Malware Analysis Report

2024-11-13 16:45

Sample ID: 240710-bfjxcawhqk
Target: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
SHA256: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506
Tags: amadey stealc 4dd39d hate discovery evasion spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506
Threat Level: Known bad

The file 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe was found to be: Known bad.

Malicious Activity Summary

Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Reads data files stored by FTP clients
Checks computer location settings
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Identifies Wine through registry keys
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-10 01:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-10 01:05
Reported: 2024-07-10 01:07
Platform: win7-20240705-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2f1c4f3162.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2f1c4f3162.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2f1c4f3162.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2f1c4f3162.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe
PID 2032 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2136 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\ef3aac9dd8.exe
PID 2136 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\2f1c4f3162.exe
PID 2496 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\2f1c4f3162.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1496 wrote to memory of 1880 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 2504 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1880 wrote to memory of 2460 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe

"C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCFBFHIEBK.exe"

C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe

"C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\ef3aac9dd8.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\ef3aac9dd8.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\2f1c4f3162.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\2f1c4f3162.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.0.1059971689\1641573668" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbb88ce4-6d0f-44c3-be64-0c5ec8965b08} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 1292 123d7c58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.1.869463089\982193721" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fc4952a-5fbe-4b29-9f89-235cd61fc785} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 1492 e71f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.2.433189654\699936542" -childID 1 -isForBrowser -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99fcf571-1e02-4f53-9a37-e1fb5af2fc2d} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 2056 1a79e358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.3.740718208\307137289" -childID 2 -isForBrowser -prefsHandle 2848 -prefMapHandle 2844 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b79abdcb-448a-4306-8a26-c239bf6ce708} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 2860 e6a258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.4.1464790577\1015238605" -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 3836 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe060ec9-08aa-4bd4-85e8-085532ef2d1a} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 3856 209f1c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.5.499189530\384829824" -childID 4 -isForBrowser -prefsHandle 3960 -prefMapHandle 1076 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5032af2c-d1b9-4de7-a770-190280704c67} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 3948 209f2858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.6.671431553\318266240" -childID 5 -isForBrowser -prefsHandle 4140 -prefMapHandle 4144 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b352aed3-5be3-4741-9271-16913949d0df} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4132 22487158 tab

Network


Files

\ProgramData\nss3.dll

\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\ef3aac9dd8.exe

C:\Users\Admin\AppData\Local\Temp\1000010001\2f1c4f3162.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\db\data.safe.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\56850c19-34e7-4fed-88da-0f24c56f1311

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 01:05

Reported

2024-07-10 01:07

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe
PID 5060 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe
PID 5060 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe
PID 1072 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1072 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1072 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4796 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe
PID 4796 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe
PID 4796 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe
PID 4796 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe
PID 4796 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe
PID 4796 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe
PID 4264 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4264 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4896 wrote to memory of 4920 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4920 wrote to memory of 2552 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (33 identical events)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe

"C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJEHJJDAA.exe"

C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe

"C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9079819-9860-4263-90b6-79bdda0482d4} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f551bbd-4c3f-470e-a6e6-fae2f6fb3dc3} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1736 -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2764 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6a1d45-7009-4a37-ae59-14d80f5ebf73} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2d57aee-6cda-4e51-a658-5b8d4382c1ad} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4708 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a706073-a32e-4023-b8bf-179a27c6256f} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -childID 3 -isForBrowser -prefsHandle 5556 -prefMapHandle 4468 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e924bda-6f12-4bb1-abec-2e4837fec1dd} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 4 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d47276c9-6271-4889-ad88-c0b977c5a1b7} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5852 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4a9c942-e117-49af-97bd-e9954fd27e0b} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
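Process-tree triage, as an added example that is not part of this report or of the sandbox vendor's tooling: the command lines copied from the Processes list above are run through a small rule set that picks out the launcher chain (cmd.exe /c start into %TEMP%), the hex-named and the numbered %TEMP% subdirectories that hold the persisted copy (explorti.exe) and the downloaded payloads, and the browser being opened straight to a URL. The rule patterns are generalised from the paths on this page and are an assumption for illustration, not a vendor signature.

```python
import re

# Command lines copied from the Processes section of this report (behavioral1).
# The Firefox "-contentproc" workers are left out: they are ordinary browser
# child processes and carry no signal of their own.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe"',
    r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe"',
    r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJEHJJDAA.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe"',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account',
]

_QUOTED_EXE = re.compile(r'^"([^"]+)"\s*(.*)$')

# Assumption: the patterns are generalised from the paths in this report, they
# are not a vendor signature. The hex-named directory (ad40971b6b) and the
# 1000xxxxxx numbered directories are the shapes seen in the Processes list.
RULES = [
    ("cmd /c start launcher for %TEMP% executable",
     lambda exe, args: exe.lower().endswith("\\cmd.exe")
     and re.search(r'/c\s+start\s+""\s+".*\\AppData\\Local\\Temp\\[^"\\]+\.exe"', args, re.I) is not None),
    ("executable in hex-named %TEMP% subdirectory",
     # lookahead requires at least one letter so purely numeric directories do not match
     lambda exe, args: re.search(r'\\AppData\\Local\\Temp\\(?=[0-9]*[a-f])[0-9a-f]{8,12}\\[^\\]+\.exe$', exe, re.I) is not None),
    ("downloaded payload in numbered %TEMP% subdirectory",
     lambda exe, args: re.search(r'\\AppData\\Local\\Temp\\1000\d{6}\\[^\\]+\.exe$', exe, re.I) is not None),
    ("browser launched directly to a URL",
     lambda exe, args: exe.lower().endswith("\\firefox.exe") and re.match(r'https?://', args) is not None),
]

def split_cmdline(cmdline):
    """Return (executable, arguments) for a quoted or bare Windows command line."""
    m = _QUOTED_EXE.match(cmdline)
    if m:
        return m.group(1), m.group(2)
    exe, _, args = cmdline.partition(" ")
    return exe, args

def classify(cmdline):
    """Names of every rule the command line triggers, in RULES order."""
    exe, args = split_cmdline(cmdline)
    return [name for name, check in RULES if check(exe, args)]

def scan(cmdlines):
    """(command line, rule names) for each command line that triggers a rule."""
    hits = []
    for cmdline in cmdlines:
        names = classify(cmdline)
        if names:
            hits.append((cmdline, names))
    return hits

if __name__ == "__main__":
    for cmdline, names in scan(PROCESS_CMDLINES):
        print(f"{', '.join(names)}\n    {cmdline}")
```

The same classifier applied to Sysmon event 1 command lines flags the chain before the downloaded payloads run; the directory rules depend only on the path shape, so they do not need the file hashes and survive the per-build renaming of FIIIIJKFCA.exe and GHJEHJJDAA.exe.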

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:53092 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
GB 216.58.201.110:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 228.192.238.44.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
N/A 127.0.0.1:53350 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1---sn-aigzrnsr.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigzrnsr.gvt1.com udp
GB 74.125.175.38:443 r1.sn-aigzrnsr.gvt1.com udp
US 8.8.8.8:53 38.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
GB 216.58.201.110:443 consent.youtube.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
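Separating the dropper's own traffic from browser noise, as an added example that is not part of this report: the rows below are a subset copied from the table above. The three RU hosts contacted over plain HTTP on port 80 have no hostname behind them; everything else is resolver traffic to 8.8.8.8, the sandbox's own PTR lookups of those same addresses, or Firefox contacting Mozilla, Google and YouTube infrastructure after being launched to youtube.com/account. The allowlist of browser-infrastructure suffixes is hand-built for this report and is an assumption, not a maintained list.

```python
import ipaddress
from collections import OrderedDict

# Rows copied from the Network table of this report (a representative subset;
# the rest of the table has the same shape). Columns: country, destination, domain, proto.
NETWORK_ROWS = """
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
RU 85.28.47.30:80 85.28.47.30 tcp
N/A 127.0.0.1:53092 tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
GB 216.58.201.110:443 www.youtube.com tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 44.238.192.228:443 shavar.services.mozilla.com tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
GB 142.250.200.14:443 redirector.gvt1.com tcp
GB 142.250.200.46:443 play.google.com tcp
"""

# Hosts a fresh Firefox profile contacts on its own (telemetry, remote settings,
# Pocket, update checks, codec and DRM downloads) plus the Google/YouTube hosts
# behind the page the malware opened. Assumption: hand-built for this report.
BROWSER_INFRA_SUFFIXES = (
    ".mozilla.com", ".mozilla.net", ".mozilla.org", ".mozaws.net", ".mozgcp.net",
    ".getpocket.com", ".google.com", ".youtube.com", ".gvt1.com",
    ".openh264.org", ".akamai.net",
)

def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # loopback rows have no domain column
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def triage(rows):
    """Split the table into C2 candidates, resolver lookups, browser noise and leftovers."""
    candidates, dns_names, allowlisted, other = OrderedDict(), set(), 0, []
    for r in rows:
        if ipaddress.ip_address(r["ip"]).is_loopback:
            continue                                    # sandbox-local plumbing
        if r["port"] == 53 and r["ip"] == "8.8.8.8":
            # Resolver traffic is context, not contact. The in-addr.arpa rows are
            # the sandbox's own reverse lookups of the addresses seen elsewhere.
            if r["domain"] and not r["domain"].endswith(".in-addr.arpa"):
                dns_names.add(r["domain"])
            continue
        domain = r["domain"] or ""
        if domain.endswith(BROWSER_INFRA_SUFFIXES):
            allowlisted += 1
        elif domain == "" or _is_ip(domain):
            # Connections with no hostname at all are the dropper's own contacts.
            candidates.setdefault((r["ip"], r["port"], r["proto"]), r["country"])
        else:
            other.append(r)                             # named host, not allowlisted: review
    return {"candidates": candidates, "dns_names": sorted(dns_names),
            "allowlisted": allowlisted, "other": other}

def cleartext_candidates(result):
    """C2 candidates on tcp/80: traffic a proxy or IDS can inspect in the clear."""
    return sorted(ip for (ip, port, proto) in result["candidates"] if port == 80 and proto == "tcp")

if __name__ == "__main__":
    summary = triage(parse_rows(NETWORK_ROWS))
    for (ip, port, proto), country in summary["candidates"].items():
        print(f"C2 candidate: {ip}:{port}/{proto} ({country})")
    print("cleartext:", cleartext_candidates(summary))
```

Anything that lands in the "other" bucket is a named host the allowlist does not cover and deserves a look by hand rather than a silent drop; for this table that bucket is empty, and all three candidates talk plain HTTP, so an egress proxy that blocks direct-to-IP requests would have stopped the payload downloads.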

Files

memory/2268-0-0x0000000001000000-0x0000000001BE5000-memory.dmp

memory/2268-1-0x000000007ED90000-0x000000007F161000-memory.dmp

memory/2268-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2268-76-0x0000000001000000-0x0000000001BE5000-memory.dmp

memory/2268-77-0x000000007ED90000-0x000000007F161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe

MD5 a7ae46b0e7a0e279a3ac3151958fef99
SHA1 7d3d8c2c1dea8b585f58bab81c9fa86afc7576fe
SHA256 f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d
SHA512 48e59e2c32fd089a4cfcbbea546c936a004a1329bf908c4f8c2f22438d5c787416b3bd497072c4d450decabdd329b3c5ceb60f8fbd1f1531f4bc82be33e85107

memory/1072-81-0x0000000000E00000-0x00000000012D7000-memory.dmp

memory/1072-82-0x0000000077A94000-0x0000000077A96000-memory.dmp

memory/1072-96-0x0000000000E00000-0x00000000012D7000-memory.dmp

memory/4796-94-0x0000000000560000-0x0000000000A37000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe

MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

memory/3524-112-0x00000000009F0000-0x00000000015DD000-memory.dmp

memory/3524-114-0x00000000009F0000-0x00000000015DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe

MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs.js

MD5 40308ccf341e8fa6d3842d7042e05e50
SHA1 31f0095f3b6b06197f912e975f90b31a5bfe24d6
SHA256 3d137842616474208cc96a9e1849a3826aa49ffb99e65453aa620c599f6b444b
SHA512 f3ef8597e4c162bee92f1ebec44db655a85f9173a672e0e2178c97237f3e945d3403923cdc52102aa38517aaa90e77fb1c3896acce40fe4a694e3a35216265ad

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\activity-stream.discovery_stream.json.tmp

MD5 64019d8dbbaddd0e8da5a4787cf525c1
SHA1 976bb146d69e83b79bb91a94309441a95afdee5a
SHA256 bd7bcf18ad06fac16e775908c1c3a116119116e8e1941c2545ffd2f3666c4194
SHA512 2c634771da1a0e4594ee41da4c98b03f5aa2420be126f22277ca22d04ef6d17d26587cd1a583c474736e843b443141c67fcda66cefcdd8227c59e8a4039a1fa5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 e8db935b8258081250c04a780051be4f
SHA1 59ead5e88df85f63f738fb49f48d4cb0806b69d6
SHA256 85fe18ebd8144280ef4535d1f205872b2110c5cb471551943087137b9199be90
SHA512 ef9abbf015a3d4795a270d5c810f46688561d574d018050ff542f06c557a2f7854718e62f0ac9028534bd4d4030e92cb1bbaebbcd70608987697b67d8213d661

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\a6ac749f-690e-4b73-b83d-3f973c7596c0

MD5 8b1ca0e0838c8d16d48d2c11f082a056
SHA1 09188d9e5bdecad0148831a652c00dd7d776859b
SHA256 2e6c64685b456db219f1815087bb5b10b5699597d4dc08c6eefe6b408981ac32
SHA512 87c39eccfa353e7caeaee2e01dcf69b7df30bae42a9aa44f5782b1acfaa496c4ccad9fdc3fa80c03d5a962e4c81b2316f6eae82a4fbd9a6243a466ffe756c573

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\eb6b8aa6-79c9-4109-b4d2-9bd6e5de8654

MD5 088d1da5ea1b2fd65421170c9a07ad2a
SHA1 67bb59c2a6f4485206a737cda84c05b6f5d5c6ee
SHA256 9403ca632d3240d0179b9c2a7cd82ea6af4d2b41d63c28fd8f9824d6ca475cd9
SHA512 c943f73db121f402082a8730557aab7e5feef9435f77bc64721b3a2252d2f31d4067785c73af8837695c0fa65d1b55d7a83638e3b91dd21721fefe1c035716a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 c0786db7b86a39da59a80e16ab1c2958
SHA1 cdcff50ea4c164c2384de71c0d38edb0b736f979
SHA256 aa1723a0ea55d1549614754baace9acfafada89391e7bfaa26e15e2e71586282
SHA512 fa35a7f35f0da812bb1cfc91feb9dc6166c601f96dbcefc623664e34a119b9a4b61490beb17df1b86e5c0a323d803ab66e8064c976d3d8a75199b52c40a382c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

MD5 27487aa1d8e40c652e3525d0e6c60beb
SHA1 f5c197c803e09015c3c60815d167860148470700
SHA256 de781b6c657e98c12c587e4302de161970b90e83e0d415b1575dac430a8d3c2e
SHA512 f90b5046e798514c4d16a16cff24d7c669656cfef24bf149db5d68127e90917d12615d9a60ccb18e5adf0050320ec22a74dc6accca3bae5fadbbc6d101888e0f

memory/4796-392-0x0000000000560000-0x0000000000A37000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin

MD5 671586a4e312d5be5654dc4aa414dbd1
SHA1 ffd2f33c20dcd882144f9b761909ceee04a28007
SHA256 862963d7633a29279573a343038802f1dd064ab4e228f57909867e52bdf06b67
SHA512 c48fd76d035592924f10a80c65785bf4100931d597943d656bf98c9292bb39fbadc5efd4fa9073ce5137d4f79b8c2ceaf8ef36265bc02b94f543ec7c878f6515

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 4512cc9bf1744ddbd11f930fdfc67c48
SHA1 7c63a0f248b0e3191a107f82ae7d3c00bc1857d2
SHA256 b910f5cc5f54d247a6799cde2a2e6b94b5315cd8748e0c8a9b1c512d2fde802a
SHA512 45af87019a132762fb2a48e580aafa05b9155e5ee0c885641aefd4efc84741d2cbbf17cace7640d61e2fd2598fac14ea34f6dc6ab0c0f829ab8d358fca506180

memory/4796-463-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/2968-465-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/2968-466-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-471-0x0000000000560000-0x0000000000A37000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp

MD5 e91d87ed1f4a76b9289cab06052f1e97
SHA1 06878dd6664aaa1b1c2ec75571a09cf87a7b8b8e
SHA256 6cde51d1643a525891daf5d4107eede2a94a40f510fd62da9579d361dcce4c3b
SHA512 118736fbd478d7bf817c51e991ba580905c8ead47c0df1b2ec2f63162983e9e1422c2561ce8f61dece74f185ed2e2c4fd525c5170691f8f5afad36e77b555753

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 d1697a7678d189c83c19487c38fe3b4d
SHA1 d3c13869e483ee480b9e52e6ac526fe8427d0498
SHA256 76218f74d8f92b01316b5a6a675a52a0d706bcdac8c0eade336da785038b5bd5
SHA512 9a6d358ad4607e2c0d89fcc6e6ac10940733578078a9dd60d05006ab0bb03a29a536511f5e4b53ae3cb7c72be7622f74953de4f2643ddd71f6612dbcfe9edc68

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs-1.js

MD5 a7bd70daa16b30aef00ee75f0f8411a0
SHA1 afdba2bf0089a9271b05bcacdbd9fbef2ff3087c
SHA256 c2123b0792fe784617a7d351ab0d708bec9009138c43a6192ec3b930f0c28c41
SHA512 628da62eb509a8d5311f3257190356d0374d73d63a8b54b2f7523b415b24f6568826c7ab7157d6fc31ae6adb9a7d767d7361550e6510f97c3125c67e4e48bcc3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 aa17867febca8d5ddf53f417b3b9942a
SHA1 b3319543f6ae7586b85bf6161bfaafeeaf58b5a3
SHA256 71585170f59847f25faa643781535a94083c0ce133875752922b0469ee104c70
SHA512 1de557cdad0a38b00e7162163da5479d469bb88eb7a0a2b88d5049d001246720c89a5cd1e7355f80bfd4e26fc2d2cf427c284375b13f3f03ec8392df1848d750

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs-1.js

MD5 fda5eb57c1e7ddf8ffb3ee2806b0a157
SHA1 1425d714f12d3654f74b76493ff9cbe8bcaeabf0
SHA256 42c203f4176bcf85e8eb56fb2ff53e6201f400fe832d81eeacea793641cbb104
SHA512 df835db8d2758069adbb94bc34a0eed9a4853c50de8397b13418f52285ce8e26e8861cc04df1e6010e00e8d08bfdfa1fd128c1b7437c6a20d2b2ea2d64459706

memory/4796-944-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-2104-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-2553-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-2559-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-2561-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/3492-2563-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/3492-2565-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-2566-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-2567-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-2568-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-2569-0x0000000000560000-0x0000000000A37000-memory.dmp

memory/4796-2570-0x0000000000560000-0x0000000000A37000-memory.dmp
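Deciding which hashes in the list above are worth acting on, as an added example that is not the report's own tooling: the entries are a subset copied from the Files section, parsed back into path and hash records and sorted into dropped executables, Firefox profile churn, memory dumps, and the two Mozilla NSS libraries (nss3.dll, mozglue.dll) staged in C:\ProgramData. Those two are Mozilla's own libraries, which stealers fetch to decrypt saved Firefox logins, so their hashes identify a Mozilla build of the library rather than the malware and the location is the better indicator. The parser also confirms each hash has the length its algorithm requires.

```python
import re
from collections import Counter

# Entries copied from the Files section of this report (a subset; SHA1 and
# SHA512 lines are kept only for the first hashed entry to keep the sample short).
FILE_ENTRIES = r"""
memory/2268-0-0x0000000001000000-0x0000000001BE5000-memory.dmp

C:\ProgramData\nss3.dll
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe
MD5 a7ae46b0e7a0e279a3ac3151958fef99
SHA256 f9e7ee889ee40ba497d750182ff74e3a6ad4d9a54710785548d1f47f24239a7d

C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe
MD5 1552573045f153aa7269a30d3a1dd151
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d

C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe
MD5 bea6ed281b600eae06be252f581721c1
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\prefs.js
MD5 40308ccf341e8fa6d3842d7042e05e50
SHA256 3d137842616474208cc96a9e1849a3826aa49ffb99e65453aa620c599f6b444b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
MD5 842039753bf41fa5e11b3a1383061a87
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NSS_HELPERS = {"nss3.dll", "mozglue.dll"}

def parse_file_entries(text):
    """Turn the report's path-then-hash-lines layout into a list of records."""
    entries, current = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = _HASH_LINE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries

def hashes_well_formed(entry):
    """Every hash present has the digest length its algorithm requires."""
    return all(len(v) == HASH_LEN[k] for k, v in entry["hashes"].items())

def classify_file(entry):
    path = entry["path"]
    name = path.rsplit("\\", 1)[-1].lower()
    if path.startswith("memory/"):
        return "memory dump"
    if "\\Mozilla\\Firefox\\Profiles\\" in path:
        return "browser profile churn"
    if name in NSS_HELPERS and path.lower().startswith("c:\\programdata\\"):
        # Mozilla's own NSS libraries, staged where the stealer can load them to
        # decrypt Firefox logins. The hash identifies a Mozilla build, not the
        # malware, so the indicator is the location, not the digest.
        return "stealer helper library (weak hash IOC)"
    if "\\AppData\\Local\\Temp\\" in path and name.endswith(".exe"):
        return "dropped executable"
    return "other"

def summarize(entries):
    return dict(Counter(classify_file(e) for e in entries))

def hash_iocs(entries):
    """(path, SHA256) for the dropped executables: the digests worth blocking on."""
    return [(e["path"], e["hashes"]["SHA256"]) for e in entries
            if classify_file(e) == "dropped executable" and hashes_well_formed(e)]

if __name__ == "__main__":
    records = parse_file_entries(FILE_ENTRIES)
    print(summarize(records))
    for path, sha256 in hash_iocs(records):
        print(sha256, path)
```

The profile files under 85t3rifc.default-release change on every Firefox start, which is why the report lists data.safe.tmp and AlternateServices.bin several times with different hashes; none of them belongs in a blocklist.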